How to remove CryptoPHP malware – Scan Now

What is CryptoPHP?

CryptoPHP is a threat that uses backdoored Joomla, WordPress and Drupal themes and plug-ins to compromise webservers on a large scale. By publishing pirated themes and plug-ins free for anyone to use instead of having to pay for them, the CryptoPHP actor is social engineering site administrators into installing the included backdoor on their server.

This malware can be controled via a remote server or email. This is a well written piece of code, it can have ,

Auto integrate into most of the CMS like joomla, wordpress , drupal ,etc,.
It is encrypted key based communication between the affected server and control server
Backup and failover mechanisam incase of shut down
Remote manual management , auto update ,etc,.
Thousands of servers and websites affected by this malware. Our clients servers with proactive management are already scanned and protected from this threat . It looks like the inspection limit is increasing.

If you have some shell experience , please use the following methods for identifying the malware

1) Quick check for social*.png files ,

find /home/ -type f -iname "social*.png" -exec grep -E -o 'php.{0,80}' {} \; -print

if you see any files from the above result , then you must delete those files immediately,

2) Check all png file ,

find /home -type f -iname '*.png' -print0 | xargs -0 file | grep "PHP script" > /root/cryptoinfected.txt

Now check all the files listed in /root/cryptoinfected.txt and remove it

3) Check all other files,

You must need to check all other files too , because it is not only infected by png fines and jpeg files,

4) Use clamav or maldetect,

You may please update your clamav database and maldetect database . After that run a scan , this will detect the mallware

maldetect -U

EDIT : Further investigation found that this malware seems to be attached via email attachments too, so you may need to scan the server email accounts too.